4 Replies Latest reply on Dec 26, 2017 10:27 AM by Intel Corporation

    Got different result from Intel-SA-00086

    ccjchow

      I got two different versions of Intel-SA-00086 detection tool downloaded at different times (7 Dec - product version: 1.0.0135 &14 Dec -product version: 1.0.0.146), I used them to detect the recent Intel CPU ME/SPS/TXE vulnerability in my HP EliteDesk 800 G1 SFF that installed with a Intel i7-4770 CPU. But I got two opposite results, the earlier one detected "This system is not vulnerable" and the later detected "This system is vulnerable".

      According to the Intel weblage, only Intel 6th, 7th and 8th generation Intel Core Processers are affected in this Intel® Management Engine vulnerability, my CPU is 4th generation, that means it should not be vulnerable, is my understanding correct? Please help me to clarify if my system is vulnerable or not.

       

      The followings are the testing results:

        • 1. Re: Got different result from Intel-SA-00086
          Intel Corporation
          This message was posted on behalf of Intel Corporation

          Hi ccjchow,

          We did incorporate some new checks for older systems starting with version 1.0.0.146 of the detection tool. 
          We've added this note to the description for the download:
          Note: Versions of the INTEL-SA-00086 Detection Tool earlier than 1.0.0.146 did not check for CVE-2017-5711 and CVE-2017-5712. These CVE's only affect systems with Intel Active Management Technology (Intel AMT) version 8.x-10.x.  Users of systems with Intel AMT 8.x-10.x are encouraged to install version 1.0.0.146, or later, to help verify the status of their system in regards to the INTEL-SA-00086 Security Advisory.

          HP seems to have most of their updates posted.  Check this page for the update for exact system: https://support.hp.com/us-en/document/c05843704
           

          • 2. Re: Got different result from Intel-SA-00086
            abesi

            and the reality = ???

            Eeny, meeny, miny, moe

            Currently NOT on Lenovo's list of affected laptops .... or should it be ?
            Thank you for looking into it.Wish you less hiccups in 2018.

            • 3. Re: Got different result from Intel-SA-00086
              abesi

              didn't check the version No's as per :

               

              "NOTE : Versions of the INTEL-SA-00086 Detection Tool earlier than 1.0.0.146 did not check for CVE-2017-5711 and CVE-2017-5712. These CVEs only affect systems with Intel® Active Management Technology (Intel® AMT) version 8.x-10.x. Users of systems with Intel AMT 8.x-10.x are encouraged to install version 1.0.0.146, or later. Installing this version helps to verify the status of their system with regard to the INTEL-SA-00086 Security Advisory. You can check the version of the INTEL-SA-00086 Detection Tool by running the tool and looking for the version information in the output window."

               

              to download the tool :

              https://downloadcenter.intel.com/download/27150?v=t

               

              and as per Intel's own advisory:

              https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

               

              Affected products are :

              1st, 2nd, 3rd, 4th, 5th, 6th, 7th & 8th Generation Intel® Core™ Processor Family

              Intel® Xeon® Processor E3-1200 v5 & v6 Product Family

              Intel® Xeon® Processor Scalable Family

              Intel® Xeon® Processor W Family

              Intel® Pentium® Processor G Series

              Intel® Atom® C3000 Processor Family

              Apollo Lake Intel® Atom Processor E3900 series

              Apollo Lake Intel® Pentium™

              Celeron™ G, N and J series Processors

               

               

              The "old" CPU versions as well!!! And as I have in this system :

               

              Associated CPU Generation: 3rd Generation Intel® Core™ Processor Family

              Resolved Firmware version : Recommended: Intel® ME 8.1.72.3002 or higher

              Currently ( as of 25 Dec 2017 ) there is NO new firmware to be found under "ThinkPad E530C" .....but found one under :

              https://pcsupport.lenovo.com/gb/en/downloads/DS032435

              and gave it a try with following results:

              can of worms

              success with one and it opened another one = OBSOLETE = ???

              here we go again

              • 4. Re: Got different result from Intel-SA-00086
                Intel Corporation
                This message was posted on behalf of Intel Corporation

                Hi Abesi,

                The Capability Licensing Service (iCLS) is distributed with the Intel® Management Engine driver (the windows driver, not to be confused with the ME firmware that is typically part of the BIOS).

                Lenovo needs to update the ME driver for Windows for your model.

                I will report this to folks that work directly with Lenovo, but you should also report this to Lenovo support.

                FYI, the iCLS is not vulnerable to the issues identified in SA-00086.  Those issues are ME firmware only issues.  Updating the iCLS is not strictly required, but if you use any capabilities that rely on iCLS (an example would be video streaming services) then you will need to update the iCLS to make sure everything runs as expected.